ECE/CS 584: Hybrid Automaton Modeling Framework
Invariance, Abstractions, Simulation
Lecture 04, Sayan Mitra
Plan for Today
• Invariants (continued)
• Abstraction
• Simulation relations
Inductive Invariants
• Given a hybrid automaton =
• An S is an invariant if S
• An invariant S is inductive if for any v ∈ S
– If v —a→ v’ then v’ ∈ S
– If v —τ→ v’ then v’ ∈ S
• Theorem: For any set of states S, if
1. for any v ∈ start state, v ∈ S
2. if v ∈ S and v —a→ v’ then v’ ∈ S
3. if v ∈ S and v —τ→ v’ then v’ ∈ S
then Reach
• Proof rule for establishing an inductive invariant S
• Checking an inductive invariant is relatively simple
• Finding useful invariants is in general more involved
Invariants and Inductive Invariants
• Are all invariants inductive? No
– Example: x ≤ h (not inductive)
– x ≤ h /\ v² = 2g(h − x)
Pre and Post Computations
• For a given set of states Q’ Q, and action a A
– Post_Trans(Q’, a) = { v’ | ∃ v ∈ Q’, v —a→ v’ }
– Post_Trans_Mul(Q’, A’) = { v’ | v ∈ Q’, a* ∈ A, v —a*→ v’ } and A’ = {a*}.
– Post_Traj(Q’, ) = { v’ | ∃ v ∈ Q’, τ ∈ , v —τ→ v’ }
– Post(Q’) = Post_Trans(Q’, a) ∪ Post_Traj(Q’) || Post_Trans(Q’, A’) ∪ Post_Traj(Q’, )
• FixPoint: Let S be a set of states and F : P(S) P(S), i.e. a function on the power set of S; then a subset X of S is called a fixed point of F iff F(X) = X.
• Theorem: S is an inductive invariant iff it is a fixpoint of Post() and it contains
– Pre_Trans_Mul(Q’, A’) = { v | ∃ v’ ∈ Q’, a* ∈ A, v —a*→ v’ } and A’ = {a*}.
– Pre_Trans(Q’, a) = { v | ∃ v’ ∈ Q’, a ∈ A, v —a→ v’ }.
– Pre_Traj(Q’, ) = { v | ∃ v’ ∈ Q’, τ ∈ , v —τ→ v’ }
– Pre(Q’) = Pre_Trans(Q’, a) ∪ Pre_Traj(Q’, ) || Pre_Trans_Mul(Q’, A’) ∪ Pre_Traj(Q’, )
Abstractions
• Invariants overapproximate the set of reachable states
• E.g. “height is always less than h”
• Abstractions overapproximate executions
• E.g. “there is a bounce every cn seconds”
Pablo Picasso, Portrait of Gertrude Stein, 1906, MOMA, New York. When someone commented that Stein didn't look like her portrait, Picasso replied, "She will". From Wikipedia.
Abstraction and Implementation ()
• 1 and 2 are comparable if they have the same external interface, i.e., E1 = E2
• For two comparable automata, 1 implements 2 if Traces1 Traces2
• 2 is an abstraction of if Execs1 Execs2
• 1 is a refinement of
Abstract Bounce
Concrete Automaton Bouncingball(c, v0, g)
  variables: analog x: Reals := 0, v: Reals := v0
  actions: external bounce
  transitions: bounce
    pre x = 0 /\ v < 0
    eff v := -cv
  trajectories:
    evolve d(x) = v; d(v) = -g
    invariant

Abstract Automaton BounceAbs(c, h, g)
  variables: analog timer: Reals := ,
    n: Naturals := 0;
  actions: external bounce
  transitions: bounce
    pre timer = 0
    eff n := n + 1; timer :=
  trajectories:
    evolve d(timer) = -1
    invariant timer
Simulations
• Forward simulation relation from 1 to 2 is a relation R such that
1. For every x1 ∈ there exists x2 ∈ such that x1 R x2
2. For every x1 —a1→ x1’ ∈ and x2 ∈ such that x1 R x2, there exists x2’ such that
• x2 – x2’ and
• x1’ R x2’
• Trace() = Trace(a1)
3. For every ∈ and x2 ∈ such that x1 R x2, there exists x2’ such that
• x2 – x2’ and
• x1’ R x2’
• Trace() = Trace(
• Theorem. If there exists a forward simulation relation from 1 to then Traces1 Traces2
State Machine 2 Implements State Machine 1
Forward Simulation for Abstraction
• Forward simulation relation from 1 to 2 is a relation R such that
1. For every x1 ∈ there exists x2 ∈ such that x1 R x2
2. For every x1 —a1→ x1’ ∈ and x2 ∈ such that x1 R x2, there exists x2’ such that
• x2 – x2’ and
• x1’ R x2’
3. For every ∈ and x2 ∈ such that x1 R x2, there exists x2’ such that
• x2 – x2’ and
• x1’ R x2’
• Theorem. If there exists a forward simulation relation from 1 to then Execs1 Execs2
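The Post/Pre operators, the inductive-invariant proof rule and the forward-simulation conditions from the slides above are mechanically checkable on the discrete (transition-only) part of an automaton. The following is an added example, not part of the lecture notes: it restricts to finite labelled transition systems with no trajectories, matches each step of the concrete automaton by a single same-label step of the abstract one (the one-step case of condition 2), and uses two constructed toy models (BALL, ABS) and a constructed relation R rather than the lecture's bouncing ball.

```python
from itertools import product

class Automaton:
    """Finite labelled transition system: the discrete, transition-only part of a
    hybrid automaton, so Post, Pre and the simulation conditions are computable."""
    def __init__(self, start, trans):
        self.start = set(start)   # initial states
        self.trans = set(trans)   # triples (v, a, v') meaning v -a-> v'
        self.actions = {a for _, a, _ in self.trans}

    def post_trans(self, Q, a):
        """Post_Trans(Q, a) = { v' | exists v in Q with v -a-> v' }."""
        return {v2 for v, b, v2 in self.trans if b == a and v in Q}

    def pre_trans(self, Q, a):
        """Pre_Trans(Q, a) = { v | exists v' in Q with v -a-> v' }."""
        return {v for v, b, v2 in self.trans if b == a and v2 in Q}

    def post(self, Q):
        """Post(Q): successors under every action (no trajectories here)."""
        return set().union(*(self.post_trans(Q, a) for a in self.actions))

    def is_inductive_invariant(self, S):
        """Proof rule from the slides: start states lie in S and Post(S) stays in S."""
        return self.start <= S and self.post(S) <= S

    def reach(self):
        """Least fixpoint of X -> start | Post(X): the reachable states."""
        X = set(self.start)
        while True:
            nxt = X | self.post(X)
            if nxt == X:
                return X
            X = nxt

def is_forward_simulation(a1, a2, R):
    """Simulation conditions 1 and 2, each a1 step matched by one a2 step of the same label."""
    if not all(any((x1, x2) in R for x2 in a2.start) for x1 in a1.start):
        return False                      # condition 1: start states are related
    for (x1, a, x1n), x2 in product(a1.trans, {x2 for _, x2 in R}):
        if (x1, x2) in R and not any((x1n, x2n) in R for x2n in a2.post_trans({x2}, a)):
            return False                  # condition 2: a1 step has no matching a2 step
    return True

# Constructed toy models, not the lecture's bouncing ball: BALL takes two "tick"
# steps between bounces (state 3 is unreachable); ABS only tracks "up"/"down".
BALL = Automaton({0}, {(0, "tick", 1), (1, "tick", 2), (2, "bounce", 0), (3, "tick", 3)})
ABS = Automaton({"up"}, {("up", "tick", "down"), ("down", "tick", "down"), ("down", "bounce", "up")})
R = {(0, "up"), (1, "down"), (2, "down")}   # candidate forward simulation relation
```

Because `{0, 1, 2}` is closed under Post and contains the start state it is inductive, while `{0, 1}` is an invariant of nothing reachable beyond it yet fails the rule; `R` satisfies both simulation conditions, so every trace of BALL is a trace of ABS.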
Characteristics of Hybrid Automata
• Guards, transition relations, invariants, DAEs written in some language
• These objects define the transitions and trajectories
• Transitions and trajectories define executions and traces
• Decidability of the verification problem will depend on the choice of the language
• Nondeterministic
– Transition choice
– Transition relation
– Branching trajectories
• External interface
– External actions
– Further partitioned into I/O actions
– External variables available in the hybrid I/O automaton model
• Special cases
– Deterministic HA
– Rectangular HA
– (Alur-Dill) Timed Automata
– X = finitely many variables with finite types: Finite State Machine with labeled transitions
– X = n real-valued variables {x1, …, xn} and A = {} D = {}: Dynamical System